如何将SameSite属性自动添加到我的Asp.net_SessionID cookie中? [英] how SameSite attribute added to my Asp.net_SessionID cookie automatically?

问题描述

最近samesite = lax自动添加到我的会话Cookie中！ 此属性仅添加到sessionID中: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

Recently samesite=lax add automatically to my session cookie! this attribute just add to sessionID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

我的网站托管在IIS 8.5，Windows 2012 R2上，并且没有WAF或UrlRewrite，因此我关闭了AntiVirus(kasper).

My website hosted on IIS 8.5, Windows 2012 R2, and dont have WAF or UrlRewrite and I turn off AntiVirus (kasper).

但在某些客户服务器上仍然存在相同的问题.

but yet have same problem on some customer servers.

有什么主意吗?

已编辑: 我发现这个: https://support.microsoft.com/en-us/help/4524419/kb4524419

EDITED: I Find this: https://support.microsoft.com/en-us/help/4524419/kb4524419

现在，当HttpCookie.SameSite值设置为"None"时，ASP.NET将发出SameSite cookie标头，以适应即将在Chrome中对SameSite cookie处理进行的更改.作为此更改的一部分，尽管可以在web.config中覆盖这些值，但FormsAuth和SessionState cookie也将使用SameSite ='Lax'发出，而不是以前的默认值'None'.

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

如何在web.config中为SessionState覆盖相同站点的cookie? 我添加了这一行，但不适用于SessionID cookie！ <httpCookies sameSite="Unspecified" />

How can i overridde samesite cookies for SessionState in web.config? i add this line, but it not work on SessionID cookie! <httpCookies sameSite="Unspecified" />

已编辑:我发现了这一点:

EDITED: I find this: https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

通过SessionState标记的"cookieSameSite"属性为状态服务器设置相同站点.

Set samesite for stateserver by "cookieSameSite" attribute of SessionState tag.

推荐答案

我无法使用重写功能，因为UrlRewrite并未安装在我所有的客户服务器上.

I can't use rewrite, because UrlRewrite not installed on all my customers servers.

最后，我将cookieSameSite添加到我的web.config:

Finally i add cookieSameSite to my web.config:

<sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />

这篇关于如何将SameSite属性自动添加到我的Asp.net_SessionID cookie中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！